Where items or services are not reimbursable by a federal healthcare program, providers and referring parties are not subject to AKS prosecution. However, due to an emerging trend in prosecution, the absence of reimbursement from federal healthcare programs should no longer leave providers and referral sources with a sense of security that they cannot be prosecuted for kickback arrangements.

Prosecutors are increasingly bringing charges against payers and recipients of remuneration for referrals in the medical arena under the Travel Act. The Travel Act criminalizes the use of the United States mail and interstate or foreign travel for the purpose of engaging in certain specified criminal acts. The Travel Act typically enforces two categories of state laws – laws prohibiting commercial bribery (i.e. corrupt dealings to secure an advantage over business competitors) and laws addressing illegal remuneration, including specific provisions regarding improper payments in connection with referral for services.

In two very recent high profile cases, prosecutors brought charges against those allegedly involved in kickback schemes under the both AKS and the Travel Act – Biodiagnostic Laboratory Services in New Jersey and Forest Park Medical Center in Texas. Both cases have resulted in several plea bargains, yet both have charges under AKS and the Travel Act that are still pending. While no court has directly ruled on the merits of prosecuting kickback schemes for medical services and items under the Travel Act, it is noteworthy that, in the Forest Park Medical Center case, the charges under the Travel Act survived a motion to dismiss at the district court level just last month.

All parties involved in referral arrangements for medical items or services should be on heightened alert as a result of this development. Whereas AKS can only be used to prosecute parties to a kickback arrangement where federal healthcare program funds are at issue, the use of the Travel Act may broaden prosecutors’ reach to the private payor sector, even where federal healthcare programs are not involved.

In our July 10, 2017 post, Concierge Medicine – Is it for you?, we cautioned that Medicare compliance concerns do not fall away when moving to a concierge or direct-pay model. HHS has determined that concierge-style agreements are permitted as long as Medicare requirements are not violated. Unless a physician has opted out of Medicare, the predominant requirement is that an access or membership fee cannot be charged to a Medicare patient for services that are already covered by Medicare. But how does a concierge physician know where to draw the line? The relevant authorities have issued very limited guidance in this area.

In March 2004, an OIG Alert was issued reminding Medicare participating providers that they may not charge Medicare patients fees for services already covered by Medicare. OIG used, as an example, a case involving physician’s charge of $600 for a “Personal Health Care Medical Care Contract” that covered, among other things, coordination of care with other providers, a comprehensive assessment and plan for optimum health, and extra time spent on patient care. Because some of these services were already reimbursable by Medicare, the physician was found to be in violation of his assignment agreement and was subjected to civil money penalties. The physician entered into a settlement with OIG and was required to stop offering these contracts.

In 2007, OIG settled another case involving a physician engaged in a concierge-style practice. There, the physician, who also had not opted out of Medicare, asked his patients to enter into a contract under which the patients paid an annual fee. Under the contract, the patient was to be provided with an annual comprehensive physical examination, coordination of referrals and expedited referrals, if medically necessary, and other service amenities. The physician was similarly found to have violated the Civil Monetary Penalties Law by receiving additional payment for Medicare-covered services and agreed to pay $106,600 to resolve his liability.

As demonstrated by these settlements, violations of a physician’s assignment agreement results in substantial penalties and exclusion from Medicare and other Federal health care programs. It would behoove a concierge physician to tailor contracts offered to Medicare patients. Fees charged under such contracts should relate only to noncovered services and amenities. For example, fees could relate to additional screenings by the concierge physician that are not covered by Medicare or amenities such as private waiting rooms.

According to the GAO’s 2005 Report on Concierge Care Characteristics and Considerations for Medicare, HHS OIG has not issued more detailed guidance on concierge care because its role is to carry out enforcement, not to make policy. However, physicians with specific concerns regarding the structure of their concierge care agreements or practices may request an advisory opinion from HHS addressing their concerns. Advisory opinions are legally binding on HHS and the party so long as the arrangement is consistent with the facts provided when seeking the opinion.

Next week, look for the release of Medical Marijuana 105, the fifth post in a series of posts discussing the current state of law in New York regarding medical marijuana. To read the latest post in the series, Medical Marijuana 104: Responsibilities of Health Insurers, click here.

On June 14, 2017, the Sixth Circuit Court of Appeals in Breckinridge Health, Inc., et al. v. Price affirmed the district court’s finding that HHS could offset the amount of a hospital’s Medicare reimbursement by the Medicaid Disproportionate Share Hospital (DSH) payments received by such hospital. In its decision, the Sixth Circuit followed the holding of the Seventh Circuit Court of Appeals in its 2012 decision in Abraham Lincoln Memorial Hospital v. Sebelius, where the Seventh Circuit, under similar facts, came to the same conclusion.

Breckinridge Health involved various Kentucky Critical Access Hospitals that, as part of Kentucky’s contribution to the DSH program, must pay a 2.5% tax on their gross revenue (the KP-Tax). The revenue from the KP-Tax is then deposited into the Medical Assistance Revolving Trust under Kentucky law. Funds from the revolving trust are then used to fund, in part, the DSH payments made to Kentucky hospitals.

The hospitals in this case had historically sought and received reimbursement under the Medicare Act’s reasonable cost statute for the full amount of their 2.5% tax payment. However, for 2009 and 2010, full reimbursement was denied by the Medicare Administrative Contractor. Instead, each hospital’s tax costs were offset against the amount of Medicaid DSH payments such hospital actually received. This decision was upheld by the Provider Reimbursement Review Board and later the Administrator of the Centers for Medicare and Medicaid Services and, finally, the district court.

In affirming the district court’s decision, the Sixth Circuit relied on the Seventh Circuit’s rationale in Abraham Lincoln Memorial Hospital. There, Illinois hospitals paid a tax assessment to the state as a condition of participation in Medicaid “access payments.” The Seventh Circuit found that the tax assessment was a reasonable cost eligible for Medicare reimbursement. However, because the payments the Illinois hospitals received from the fund were meant to reduce expenses associated with participation in the program, including the expense of paying the mandatory tax assessment that is a condition to participation, the set off was appropriate because the net economic impact of the access payments must be considered in calculating the reimbursement.

Applying the Seventh Circuit’s rationale, the Breckinridge court reasoned that “[b]ecause the DSH payment [the hospitals] received derived from the fund into which the [hospitals’] KP-Tax expenditures were placed, the net effect of the DSH payment is to reduce, at least in part, the costs [the hospitals] incurred in paying the KP-Tax. Therefore, it constituted a refund notwithstanding the fact that it was not labeled as such.” In other words, by receiving a return of the economic value of their KP-Tax payments through the disbursement of revolving trust funds, the hospitals essentially had already been reimbursed for their KP-Tax payments and such costs were not eligible to be reimbursed again under the reasonable cost statute.

In affirming the district court’s judgment, the Sixth Circuit made clear that the standard of review is to give the judgment of HHS controlling weight unless it is “arbitrary, capricious, or manifestly contrary to the statute.” However, through its detailed review of HHS’s decision, the Breckinridge court bolsters the rationale arguably justifying the expanding view that DSH payments can properly be set off against the reasonable costs of participation.

The Medicaid Fraud Control Unit (MCFU) of the New York State Office of the Attorney General has recently issued restitution demand letters to providers for allegedly entering into percentage-based contracts with their billing agents. The MCFU letters cite the Medicaid Update March 2001, titled “A Message for Providers Using Service Agents” as follows:

Billing agents are prohibited from charging Medicaid providers a percentage of the amount claimed or collected. In addition, such payment arraignments, when entered into by a physician, may violate the Education Law and State Education Department’s regulations on unlawful fee-splitting.

A physician will be guilty of misconduct if he or she permits:

any person to share in the fees for professional services, other than: a partner, employee, associate in a professional firm or corporation, professional subcontractor or consultant authorized to practice medicine, or a legally authorized trainee practicing under the supervision of a licensee. This prohibition shall include any arrangement or agreement whereby the amount received in payment for furnishing space, facilities, equipment or personnel services used by a licensee constitutes a percentage of, or is otherwise dependent upon, the income or receipts of the licensee from such practice, except as otherwise provided by law with respect to a facility licensed pursuant to article twenty-eight of the public health law or article thirteen of the mental hygiene law.

See Educ. Law §6530(19)*.

A physician is subject to professional misconduct charges if he or she has

directly or indirectly requested, received or participated in the division, transference, assignment, rebate, splitting, or refunding of a fee for, or has directly requested, received or profited by means of a credit or other valuable consideration as a commission, discount or gratuity, in connection with the furnishing of professional care or service . . .

See Educ. Law §6531.

The prohibition against fee-splitting is related to the state anti-kickback law which prohibits physicians from

[d]irectly or indirectly offering, giving, soliciting, or receiving or agreeing to receive, any fee or other consideration to or from a third party for the referral of a patient or in connection with the performance of professional services . . .

See Educ. Law §6530 (18).

Licensed professionals in New York State must review their contracts to verify that the compensation paid to their agents is not based on a percentage of fees for professional services.

*A similar rule applies to other licensed professionals. See N.Y. Rules of the Board of Regents §29.1(b)(4).

**In addition to the Federal Anti-Kickback Statute at 42 U.S.C. §1320a-7b(b), New York has enacted its own wide-reaching anti-kickback and anti-referral laws and regulations seeking to eliminate fraud and abuse in healthcare on a statewide basis. The state anti-kickback statue is set forth in the Social Services Law (See N.Y. Social Services Law § 366-d). The N.Y. Education Law addresses matters of professional misconduct rather than violations of fraud and abuse laws and regulations.

The Supreme Court recently allowed liability through the implied certification theory of the False Claims Act (FCA), which was raised and upheld in Universal Health Services, Inc. v. United States ex rel. Escobar. The decision provided for a new applicable standard and resolved the split among circuit courts on whether to recognize the theory.

In Escobar, a teenaged patient was receiving health services from a mental health facility. The patient had an adverse reaction to medication prescribed and died of a seizure. The parents later discovered United Health Services sought reimbursement from MassHealth (the Massachusetts State Medicaid Program) for mental health services provided at the facility by individuals who did not meet the standards for licensure and other requirements. The parents then filed a qui tam suit relying on the implied certification theory of liability. The District Court ruled against the parents finding the claims for reimbursement were not expressly false because the facility made no express statement regarding the service providers. United States ex. rel. Escobar v. Universal Health Services, 780 F.3d 504 (1st Cir. 2015). On appeal, the First Circuit rejected the bright line approach and determined that compliance with licensure and other MassHealth regulatory requirements were conditions of payment sufficient to support an FCA suit. United States ex. rel. Escobar v. Universal Health Services., 780 F.3d 504 (1st Cir. 2015)

The Supreme Court held that implied false certification is a proper basis for liability under the False Claims Act where (1) “the claim does not merely request payment, but also makes specific representations about the goods or services provided”, and (2) “the defendant’s failure to disclose noncompliance with material statutory, regulatory, or contractual requirements makes those representations misleading half-truths.” The Court focused on defining the FCA’s materiality standard as whether the government’s knowledge of the noncompliance “would have” affected their payment decision rather than “could have”. The Court further explained that whether an obligation was a condition of payment relates to, but is not dispositive of, materiality.

The Department of Health and Human Services, Office for Civil Rights (“OCR”), enforces the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). This includes the requirement that Covered Entities (health care providers and health plans) have Business Associate Agreements with their “Business Associates.”

“Business Associates” are persons or entities who “create, receive, maintain or transmit Protected Health Information (“PHI”) in performing services on behalf of a Covered Entity. Furthermore, a subcontractor of a Business Associate that creates, receives, maintains or transmits PHI on behalf of a Business Associate is also a “Business Associate.”

Both Covered Entities and Business Associates are directly liable for failing to have a compliant Business Associate Agreement in place. In addition, Business Associates must have Business Associate Agreements with their subcontractors who create, receive, maintain or transmit PHI on behalf of a Business Associate.

Recent cases of OCR enforcement for failure to have a required Business Associate Agreement include:

North Memorial Health Care of Minnesota agreed to pay $1.55 million to settle OCR charges for failing to have a Business Associate Agreement in place when a business associate’s laptop containing thousands of individuals’ PHI was lost.

Raleigh Orthopedic Clinic agreed to pay $750,000 and to enter into a Corrective Action Plan in settlement of OCR charges that it failed to have a Business Associate Agreement in place with its Business Associate engaged to transfer x-rays to electronic media.

Triple-S Management Corporation agreed to pay $3.5 million to settle OCR charges of multiple violations, including “impermissible disclosure of its beneficiaries’ PHI to an outside vendor without having a required Business Associate Agreement in place.”

To avoid multi-million dollar settlements, Covered Entities must evaluate their relationships with third parties, and Business Associates must evaluate their relationships with subcontractors, to ensure required Business Associate Agreements are in place. Covered Entities and Business Associates should consider adopting written policies and procedures regarding their Business Associates and subcontractors to demonstrate their efforts at compliance.

*My thanks to Farrell Fritz summer associate Joanna Lima for her assistance with this blog posting.

In our previous post [found here], we explained that, under the Privacy Rule, HIPAA covered entities (health care providers and health plans) must provide individuals and their “personal representatives” with access to the individual’s protected health information. An individual’s personal representative is determined under State law. In this post, we will define who is a “personal representative” under New York law.

Section 18(2) of the New York Public Health Law (PHL) states that, upon written request, a health care provider shall provide an opportunity, within ten days, for a patient to inspect the patient’s information concerning or relating to the examination or treatment of the patient. Upon the written request of any qualified person, a health care provider shall furnish to the qualified person, within a reasonable time, a copy of any patient information requested which the authorized person may inspect. The law provides no specific time period by which copies of medical records must be provided. However, the New York State Department of Health considers 10 to 14 days to be a reasonable time in which a practitioner should respond to such a request.

A “qualified person” under PHL§ 18(1)(g) includes:

the properly identified patient;

a guardian for an incapacitated person appointed under article eighty-one of the mental hygiene law;

a parent of an infant or a guardian of an infant appointed under article seventeen of the Surrogate’s Court Procedure Act or other legally appointed guardian of an infant who may request access to a clinical record;

a distributee of any deceased subject for whom no personal representative, as defined in the Estates, Powers and Trusts Law, has been appointed; or

an attorney representing a qualified person or the subject’s estate who holds a power of attorney from the qualified person or the subject’s estate explicitly authorizing the holder to execute a written request for patient information.

PHL§ 18(1)(g) states that a qualified person shall be deemed a “personal representative of the individual” for purposes of HIPAA and its implementing regulations. Although not a “qualified person,” an agent appointed under a patient’s Health Care Proxy may also receive medical information and medical and clinical records necessary to make informed decisions regarding the patient’s health care (See PHL § 2982(3)). Presumably, the holder of a Health Care Proxy would also be a “personal representative of the individual” for purposes of HIPAA, although there is no explicit statement to that effect in PHL § 2982.

There are circumstances where a qualified person may be denied access to inspect or obtain a copy of the patient’s records. In the next post, we will explain those circumstances.

Under the Privacy Rule, HIPAA covered entities (health care providers and health plans) are required to provide individuals, upon request, with access to their protected health information (PHI) in one or more “designated record sets” maintained by or for the covered entity.

Covered entities are also required to protect the individual’s PHI from unauthorized disclosure. How must a covered entity verify the identity of the individual requesting the PHI so as to comply with the Privacy Rule without at the same time violating it?

Recent guidance from the Office of Civil Rights (OCR) is somewhat helpful.

According the guidance, the Privacy Rule requires a covered entity to take “reasonable steps” to verify the identity of an individual requesting access (citing 45 CFR 164.514(h)). OCR confirms the Privacy Rule does not mandate the form of verification, but rather leaves the manner of verification to the professional judgment of the covered entity, provided the verification processes and measures “do not create barriers to or unreasonably delay the individual from obtaining access to her PHI”. OCR explains that verification may be oral or in writing and states that the type of verification depends on how the individual is requesting or receiving access. For instance, a person may request access in person, by phone, by fax or e-mail, or through a web portal hosted by the covered entity.

OCR suggests that standard request forms ask for basic information about the individual to enable the covered entity to verify the individual is the subject of the information requested. For those covered entities providing individuals with access to their PHI through web portals, the portals should be set up with appropriate authentication controls, as required by the HIPAA Security Rule (for instance password protection and required periodic password updates).

For individuals who may call requesting access to their PHI, good policy might require verification of the requestors date of birth, address, and perhaps the condition the individual was treated for.

Verifying the authority of an individual’s personal representative is determined under State law. In the next blog post, we will look at the law in New York on who is a qualified person for purposes of access to an individual’s medical records.

CMS has published a Proposed Rule to clarify how physicians are to bill for services furnished “incident to” the professional services of a physician.

When a medical practice bills Medicare “incident to” for NPP services (i.e. “non-physician practitioners” such as nurses or physician assistants), the bill is rendered by the physician using the physician’s NPI number. Incident to services billed by the physician are paid at 100 percent of the fee schedule amount even though the physician did not perform the services. When the same services are billed by the NPP, the services are paid at 85 percent of the fee schedule amount. Specific requirements must be met for physicians to bill Medicare for incident to services. The services must be:

Furnished in a noninstitutional setting to noninstitutional patients.

An integral, though incidental, part of the service of a physician in the course of diagnosis or treatment of an injury or illness (understood to mean a physician has seen the patient first and initiated a plan of care being carried out by the NPP).

Furnished under direct supervision of a physician or other practitioner eligible to bill and directly receive Medicare payment (meaning the physician is present in the office suite).

Furnished by a physician, a practitioner with an incident to benefit, or auxiliary personnel.

NPP services may be billed under the physician’s NPI number when the services are part of the patient’s normal course of treatment, during which a physician performed an initial service and remains actively involved in the treatment.

The current regulations have caused confusion. The regulations state that the “physician supervising the auxiliary personnel need not be the same physician upon whose professional service the incident to service is based.” My interpretation of this is that a physician other than the physician that initiated the plan of care may supervise the NPP in the provision of services and such services will qualify as “incident to” if all other requirements are met. What remains unclear is which physician should bill for the incident to services, the supervising physician or the physician that initiated the plan of care. The proposed rule attempts to clarify that the billing physician must be the physician that supervised the services and not the physician that initially saw the patient and instituted the plan of care.

Care must be taken to ensure the supervising physician’s NPI number is used. This can be a challenge in busy medical offices where the physicians are regularly in the OR or conducting rounds.

On November 10, 2014, the US Department of Health and Human Services released its investigation report regarding the death of actress and comedian Joan Rivers. The report, called a “Statement of Deficiencies and Plan of Correction”, highlights numerous mistakes and violations made by Yorkville Endoscopy, the treating facility where Ms. Rivers died (Ms. Rivers was identified as “Patient #1”). Health care providers, facility owners, and administrators can learn some basic but important lessons from the report’s findings.

1. Have appropriate policies and procedures (“P&Ps”) in place as required by your licensing agency and accrediting body. Yorkville Endoscopy is licensed by the State of New York as an ambulatory surgery center (“ASC”) under Article 28 of the Public Health Law, and accredited by the American Association for Accreditation of Ambulatory Surgery Facilities. The State regulatory requirements for an ASC are much more rigorous than the requirements for non-licensed outpatient surgery centers in New York. P&Ps cover issues including clinical practices, patient consents, procedures, anesthesia, billing, provider credentialing, employment and more. An administrator, compliance officer, or other responsible party may review the regulations and accreditation standards, consult with the accrediting body, legal counsel or a consultant, and can purchase policy manuals from numerous sources.

2. Follow your own policies and procedures. The report cites numerous examples of Yorkville Endoscopy failing to follow its own P&Ps. For example, the staff failed to follow the “Time Out” policy which helps ensure that the correct procedure is being performed; also, one of the physicians performing the procedures was not credentialed by the facility, in violation of the Physician Credentialing P&P. A facility’s P&P manual should not be gathering dust on a shelf in a back office (same goes for the Compliance Manual). If a particular policy or procedure is not effective, the facility should develop a new policy or procedure that works better. A facility that consistently follows its own P&Ps exhibits traits of a compliant and quality oriented organization; while this will not prevent accidents or unexpected occurrences, many issues may be avoided. All staff, including physicians, should be regularly educated on the facility’s P&Ps.

3. Credentialing protects you. The federal report stated that one of the physicians performing a procedure on Ms. Rivers was not credentialed by the facility. Credentialing is a fairly simple process that allows a facility to review a provider’s licensure, education and work history, insurance, and past lawsuits or disciplinary actions before allowing them to treat patients. This enables a facility to determine whether a provider meets facility requirements in general, and often whether they are qualified for specific procedures. This helps weed out bad providers up front, limits certain procedures to physicians with an appropriate level of training and experience, and allows the facility to have a record of who is providing services under its roof.

4. Keep the cameras away from the patients. The report notes that one of the physicians took a photograph of Ms. Rivers with his cell phone while she was under sedation during a procedure. There is no evidence she consented to this photo. This is a violation of Ms. Rivers’ right to privacy (under HIPAA and State laws), and violated the facility’s own “Cell Phone Policy.” Taking photos of patients without their consent exposes the individuals and their facilities to liability, and often results in loss of employment for the offending staff. Facilities should review their photo and video policies, with an eye toward protection of the privacy of patients, staff and guests.

5. Beware of “VIP Medicine”. Accommodating a VIP in certain ways is reasonable and acceptable, but it is not occasion to ignore important policies and procedures. The investigation states that Ms. Rivers’ medical record did not contain an informed consent for the nasolaryngoscopy, and contained no documentation of her body weight (needed to calculate anesthesia dosages). Allowing a VIP to enter though a separate door to increase their privacy, keeping their visit private, or using a private room are certainly appropriate. However, clinical guidelines should be followed regardless of the star power of the patient. This means they must be subject to the same clinical oversight, undergo the same process for obtaining informed consent for any procedure, and receive the same pre-procedure screening and testing in accordance with good medical practices.

It is unknown whether compliance with any of the above-noted issues would have resulted in a better outcome for Ms. Rivers – sometimes the negative risks discussed during the informed consent process do occur, and sometimes this results in the death of a patient. What is clear is that inattention to regulations, failing to follow basic policies and procedures, and violating a patient’s rights suggest a facility and providers that fail to place a high value on quality of care and the safety of their patients.